Sir:
I, Naoki Matsuhira, the Applicant in the above-identified patent application, declare as
follows:

1. I am the applicant and inventor of the subject matter described and claimed in
the above-identified application.

2. Prior to December 29, 2000, Fujitsu Limited requested, via written request, the
preparation of a Japanese patent application, on which the present application
is based, to A. Aoki of A. Aoki, Ishida & Associates, who is a patent attorney in
Japan and an agent of the Japanese patent application (see Exhibit II and
English translation of Exhibit II).

3. Prior to December 29, 2000, materials for the application were sent from
Fujitsu Limited to A. Aoki (see Exhibit I and English translation of Exhibit I).
The materials included an "Inventor Declaration" declaring that the invention
disclosed in the attachment was prior to December 29, 2000, as well as a
"Specification of Invention" (dated prior to December 29, 2000).

4. The English translation of Exhibit I shows the support for claims 1-4, 8-10 and
14 of the above-identified application. The portions of the English translation
of Exhibit I evidencing exemplary support are supplied as parenthetical
annotations within a copy of the independent claims, as below:

1. A packet filtering method (see for example, English translation of
Exhibit I, Claim 1, page 1) characterized by storing filtering information for use in
filtering at a receiving side in an encrypted packet to be sent to the receiving side
and sending it from a sending side, (see e.g., English translation of Exhibit I,
Embodiments, first paragraph on page 5) wherein an IPv6 extended header
added to an IPv6 header or in a flow label region in an IPv6 header is used to
transmit the filtering information as to prevent the filtering information from being
encrypted when the packet is a packet in compliance with IPv6, wherein said
filtering information is used for identifying a specific value showing a VoIP
performing a VoIP communication, (see e.g., English translation of Exhibit I, page
2, claim 5; and Mode of Operation on page 4, continuing onto page 5; Figure 10).

2. A packet filtering method characterized by receiving an encrypted
packet, at a receiving side, from a sending side, detecting filtering information
stored in that packet, holding predetermined filtering information of the receiving
side, comparing filtering information of the sending side detected from the packet
with the filtering information of the receiving side, and, when the two do not
match, discarding that packet, (See e.g., English translation of Exhibit I,
Embodiments, second paragraph on page 5) wherein an IPv6 extended header
added to an IPv6 header or in a flow label region in an IPv6 header is used to
transmit the filtering information so as to prevent the filtering information from
being encrypted, when the packet is a packet in compliance with IPv6, wherein
said filtering information is used for identifying a specific value showing a VoIP
performing a VoIP communication, (see e.g., English translation of Exhibit I,
page 2, claim 5; and Mode of Operation on page 4, continuing onto page 5;
Figure 10)

3. Communication equipment at a packet sending side including a
function unit for achieving a packet filtering, said communication equipment
characterized by having at least a setting unit for setting filtering information, a
filter key holding unit for holding the filtering information input by the setting unit
as a filter key, and a filter key storing function unit for receiving as input the held
filter key and storing the filter key in a header portion of an encrypted packet,
(See e.g., English translation of Exhibit I, Embodiments, page 5, first paragraph
and Figure 8) wherein an IPv6 extended header added to an IPv6 header or in a
flow label region in an IPv6 header is used to transmit the filtering information so
as to prevent the filtering information from being encrypted, when the packet is a
packet in compliance with IPv6, wherein said filtering information is used for
identifying a specific value showing a VoIP performing a VoIP communication,
(see e.g., English translation of Exhibit I, page 2, claim 5; and Mode of Operation
on page 4, continuing onto page 5; Figure 10)

4. Communication equipment of a packet receiving side including a
function unit for packet filtering, said communication equipment characterized by
being provided with: a filter key detecting unit for receiving an encrypted packet
sent from a sending side while storing information as a filter key in a header
portion of the packet and detecting the filter key from the header portion; and a
comparing function unit for comparing a filter key of a sending side detected by
the filter key detecting unit with a filter key of the receiving side held in advance,
determining if the two do not match, and, when they do not match, discarding the
received packet, (See e.g., English translation of Exhibit I, Embodiments, second
paragraph on page 5) wherein an IPv6 extended header added to an IPv6 header
or in a flow label region in an IPv6 header is used to transmit the filtering
information so as to prevent the filtering information from being encrypted, when
the packet is a packet in compliance with IPv6, wherein said filtering key is used
for identifying a specific value showing a VoIP performing a VoIP
communication, (see e.g., English translation of Exhibit I, page 2, claim 5; and
Mode of Operation on page 4, continuing onto page 5; Figure 10)

8. A packet communication system where a transferred packet is filtered,
said packet communication system characterized by being provided with: a
packet transmitting apparatus for storing filtering information for use in filtering at
a receiving side in a packet to be sent to the receiving side and sending it from a
sending side, a packet receiving apparatus for receiving an encrypted packet, at
the receiving side, from the sending side through a network between a server and
client, detecting filtering information stored in the received packet, holding
predetermined filtering information of the receiving side, comparing filtering
information of the sending side detected from the packet with the filtering
information of the receiving side, and, when the two do not match, discarding that
packet, and an authentication apparatus for receiving user authentication
information input from a user receiving filtering service, authenticating the user,
and assigning and distributing a filter key as filtering information corresponding to
the user authentication information to the user after the authentication, (See e.g.,
English translation of Exhibit I, Technology for Solving the Problem, page 4)
wherein an IPv6 extended header added to an IPv6 header or in a flow label
region in an IPv6 header is used to transmit the filtering information so as to
prevent the filtering information from being encrypted, when the packet is a
packet in compliance with IPv6, wherein said filtering information is used for
identifying a specific value showing a VoIP performing VoIP communication, (see
e.g., English translation of Exhibit I, page 2, claim 5; and Mode of Operation on
page 4, continuing onto page 5; Figure 10)

9. A packet communication system where a filtering service is provided for
an encrypted packet transferred through a network between a server and a client,
the packet communication system characterized by being provided with: function
units used for access from the server or client of the user side to the network, that
is, a first function unit for receiving user authentication information and
authenticating the user and a second function unit for restricting access by
assigning and distributing a filter key as filtering information corresponding to the
user authentication information to the user after the authentication, (See e.g.,
English translation of Exhibit I, Technology for Solving the Problem, page 4)
wherein an IPv6 extended header added to an IPv6 header or in a flow label
region in an IPv6 header is used to transmit the filtering information so as to
prevent the filtering information from being encrypted, when the packet is a
packet in compliance with IPv6, wherein said filtering key is used for identifying a
specific value showing a VoIP performing a VoIP communication, (see e.g.,
English translation of Exhibit I, page claim 5; and Mode of Operation on page
4, continuing onto page 5; Figure 10)

10. A packet communication system where a filtering service is provided
for an encrypted packet transferred through a network between a server and a
client, the packet communication system characterized by being provided with:
function units used for access from a user on a network side to the server or
client, that is, a first function unit for receiving user authentication information and
authenticating the user and a second function unit for restricting access by
assigning and distributing a filter key as filtering information corresponding to the
user authentication information to the user after the authentication, (See e.g.,
English translation of Exhibit I, Technology for Solving the Problem, page 4)
wherein when the packet is a packet in compliance with IPv6, an IPv6 extended
header added to an IPv6 header or in a flow label region in an IPv6 header is
used to transmit the filtering information so as to prevent the filtering information
from being encrypted, wherein said filtering information/filtering key is used for
identifying a specific value showing a VoIP performing a VoIP communication,
(see e.g., English translation of Exhibit I, page 2, claim 6; and Mode of Operation
on page 4, continuing onto page 5; Figure 10)

14. A method, comprising: storing information in an extended header of an
encrypted packet in compliance with IPv6 to prevent the information from being
encrypted, the information indicating that a communication is over VoIP; and
transmitting, to the receiving side, the encrypted packet with the information to
enable filtering of the communication, (see e.g., English translation of Exhibit I,
page 2, claim 4; and Technology for Solving the Problem, page 4)

5. On January 19, 2001, a Draft Specification was sent to Fujitsu Limited Patent
Department for review from Seiwa Patents Law Office. (See English
Translation of Exhibit III).

6. On or about February 14, 2001, correspondence dated February 1, 2001 was
received by Seiwa Patent & Law Office (formerly A. Aoki, Ishida, and
Associates) from the Fujitsu Patent Department regarding a review of the draft
Specification and a request for corrections. In the correspondence, there is a
stamp from Staff of the Fujitsu Patent Department dated February 8, 2001 as
well as a stamp from a Manager of the Fujitsu Patent Department dated
February 9, 2001 (See English Translation of Exhibit III).

7. On or about February 19, 2001, Japan Application No. 2001-041746 was filed
based upon the Specification of Invention in Exhibit I dated prior to December
29, 2000 and corresponding review of the Draft Specification in Exhibit III.

8. On or about February 19, 2002, PCT Application No. PCT/JP02/01434 was
filed based upon Japan Application No. 2001-041746.

9. On or about August 15, 2003, Junichi Tsuruta of A. Aoki, Ishida, and
Associates, requested Staas & Halsey LLP to file a U.S. application.

10. On or about August 18, 2003, the above-identified application, which claims
priority to Japan Application No. 2001-041746 & PCT Application No.
PCT/JP02/01434, was filed by an attorney of Staas & Halsey LLP.

11. The redacted dates on Exhibit I and Exhibit II indicate that the invention was
conceived prior to December 29, 2000.

12. I declare that all statements made herein of my own knowledge are true and
that all statements made on information and belief are believed to be true; and
further that these statements were made with the knowledge that willful false
statements and the like so made are punishable by fine or imprisonment, or
both, under Section 1001 Title 18 of the United States Code and that such
willful false statements may jeopardise the validity of the application or any
patent issuing thereon.

Naoki Matsuhira

Inventor Declaration

I/We declare that the invention disclosed in the attachment was conceived/made by me/us on

Date

Inventor Name

(D) Signature

Date

Witness Declaration

I declare that I have reviewed and understood the invention disclosed in the attached
paper. Here, I sign and put my stamp with the date as confirmation of my understanding.

(G) Witness Name

(H) Signature

Date

Stamp

[Figure: IPv4 header layout. Fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding]

[Figure: IPv6 header layout. Fields: Payload Length, Next Header, Hop Limit, Source Address]

[Figure: TCP header layout. Fields: Source Port, Destination Port, Sequence Number, Acknowledgment Number, Data Offset, Reserved, URG, ACK, PSH, RST, SYN, FIN, Window, Checksum, Urgent Pointer, Options, Padding, data]

NTP0009-03

SPECIFICATION OF INVENTION 

Naoki Matsuhira 
Business Planning Department No. 2 

1. TITLE OF THE INVENTION 
Filtering Service Method and System 

2. CLAIMS (DRAFT) 
Claim 1 

A method newly providing a storage field for filtering
information in a packet, comparing information stored in
that field and entries of a table storing filtering
information stored in an apparatus performing filtering,
and filtering out the packet when the contents do not
match.

Claim 2 

A filtering method newly providing a storage field of
filtering information in a packet and not completely
prohibiting even applications where the value of the port
no. becomes unidentified, but filtering out ones other than
required and thereby enabling suitable filtering even for
applications where the value of the port no. would become
unidentified and a service realized by that method.

Claim 3 

A filtering method newly providing a storage field of 
filtering information in a packet and not completely 
prohibiting even cases where the value of the port no. is 
encrypted, but filtering out ones other than required and
thereby enabling suitable filtering even when the value of 
the port no. is unclear and a service realized by that 
method. 

Claim 4 

A filtering method storing filtering information using a 
newly provided IPv6 extension header in claims 1, 2, and 3. 

Claim 5 

A communication apparatus performing filtering by regarding 
a flow label value in IPv6 as filtering information in 
claims 1, 2, and 3.

3. DETAILED DESCRIPTION OF THE INVENTION 

(1) Field of Utilization in Industry 

The present invention relates to filtering for
ensuring security on the Internet. "Filtering" is a
technique, implemented at a firewall, router, or host used
when a company connects to the Internet, that discards
packets satisfying certain conditions. For example, it is not
desirable to transfer a packet including a private address
used at an Intranet as it is to the Internet, so the
practice is to filter out a packet including a private
address or designate a port no. for a specific application
and thereby filter out a packet including the port no.

(2) Prior Art 

FIG. 1 is a view for explaining the prior art. 
Filtering is performed by comparing data included in a 
packet with data included in a table storing filtering 
conditions. Specifically, for example, in the case of the
IP, the destination IP address, source IP address, 
destination port no., source port no., etc. and, further, 
the TCP or other information included in the higher layer 
and data included in the application are used in some 
cases. FIG. 2 is a view of an IPv4 header, FIG. 3 is a view 
of an IPv6 header, FIG. 4 is a view of a TCP header, and 
FIG. 5 is a view of a UDP header. The destination IP 
address and source IP address are shown in FIG. 2 and FIG. 
3. Further, the destination port no. and the source port 
no. are shown in FIG. 4 and FIG. 5. 

(3) Problem to be Solved by the Invention 

In this regard, according to the prior art, it is 
necessary to set the conditions for filtering in advance. 
There was the problem that along with the increase in 
conditions, the number of entries of settings increased. 
Further, in the VoIP and other peer-to-peer applications 
where the port nos. are determined by dynamic negotiation, 
filtering is not possible by static settings. As a result, 
to secure security, it is necessary to filter out VoIP as a 
whole. There is therefore the problem that VoIP cannot de 
facto be used. Furthermore, when performing encrypting by 
IPsec, the information included in the TCP header and the 
UDP header ends up being encrypted, so there is the problem 
that filtering using port nos. is not possible. 

The present invention has as its object the 
realization of a filtering method able to streamline the 
conditions for setting the filtering and thereby reduce the 
number of entries and, furthermore, able to handle even 
VoIP or IPsec. 
(4) Technology for Solving the Problem

A view of the principle of the invention of the 
present invention is shown in FIG. 6. A packet is newly 
given information serving as a filtering key. The filter 
key is set in a table of the apparatus. The filter key is 
set by a host generating the packet. The filter key may be 
notified by dynamic negotiation or may be acquired from a 
manager.

The format of an IPv6 extension header storing the 
filter key to be given to a packet is shown in FIG. 7 
(corresponding to claim 4). This format is based on the
option format of IPv6 and stores the filter key 
information. 

A host setting a certain filter key stores the filter 
key in the generated packet and transmits the packet. When 
the filter key differs from that of the party being 
communicated with, a filter key in accordance with the 
other party is set. A router having a filtering function on 
the communication path or a host of the other party 
compares the information of the filter key included in the 
packet and a filter key set in the system and discards the 
packet when they do not match. 

(5) Mode of Operation 

According to the present invention, the information 
set in the apparatus need only be the filter key. The 
settings are greatly streamlined. Furthermore, when there 
are several comparison parameters, the comparison 
conditions (AND or OR) become complicated, but according to 
the present invention, a single value is enough, so it is 
possible to simplify the comparison logic and an increase
in the processing speed can be expected. Further, in an 
application such as the VoIP where it is not possible to 
judge if a packet should be filtered out by just comparing 
the port nos., this becomes possible by comparison of the 
filter keys, so an application such as the VoIP with a host 
outside of the firewall can be used. Note that in the 
present invention, a field for carrying the filter key is 
newly added, but it is also possible to use the flow label 
field of the IPv6 header.

(6) Embodiments

FIG. 8 is a view of an embodiment of a packet 
transmitting function of a host in claim 4, while FIG. 9 is 
a view of an embodiment of a packet receiving function of a 
router or host in claim 4. A host transmitting a packet, 
when generating a packet, assembles an option header based 
on the filter key set by a keyboard or other means so as to 
generate a packet including this option header as well. A 
router relaying the packet or a host receiving it detects 
the option field storing the filter key, searches if the 
filter key taken out from there has been set in advance, 
and, when there is no hit, discards the packet. 

FIG. 10 is a view of an embodiment of a packet 
transmitting function of a host in claim 5, while FIG. 11 
is a view of an embodiment of a packet receiving function 
of a router or host in claim 5. A host transmitting a 
packet, when generating a packet, sets the filter key set 
by a keyboard or other means in the flow label field of an 
IPv6 header so as to generate a packet. A router relaying 
the packet or a host receiving it detects the filter key 
from the [illegible] key has
been set, and, when there is no hit, discards the packet. 

This processing is effective when performed by a
router or firewall connecting, for example, an enterprise and
an ISP. Communication with a terminal in the enterprise
becomes possible only for communication where the filter
key matches at a terminal connected on the Internet.
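
The sending and receiving functions described in the embodiments above, as an added Python sketch that is not part of the original specification: a sender places the filter key either in the IPv6 flow label or in an extension-header option ahead of an encrypted payload, and the receiving side discards any packet whose key is not in its preset table. The 20-bit key width, the option type 0x1E (RFC 4727 experimental range), the use of a Destination Options header, and the addresses and ESP bytes are assumptions constructed for illustration.

```python
import struct

# Assumptions (not from the specification): a 20-bit key so it fits either carrier,
# option type 0x1E (RFC 4727 experimental range), Destination Options as the carrier.
OPT_FILTER_KEY = 0x1E
NH_HOPOPTS, NH_DSTOPTS, NH_ESP = 0, 60, 50
SRC = bytes.fromhex("20010db8000000000000000000000001")   # constructed addresses
DST = bytes.fromhex("20010db8000000000000000000000002")
ESP = struct.pack("!II", 0x1234, 1) + bytes(16)           # constructed SPI, seq, "ciphertext"

def fixed_header(payload_len, next_header, flow_label=0):
    """40-byte IPv6 header: version 6, traffic class 0, 20-bit flow label."""
    first_word = (6 << 28) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", first_word, payload_len, next_header, 64) + SRC + DST

def send_with_flow_label(key, payload=ESP):
    """Claim 5 variant: the flow label field carries the filter key."""
    return fixed_header(len(payload), NH_ESP, key) + payload

def send_with_option(key, payload=ESP):
    """Claim 4 variant: an extension header carries the key as a TLV option."""
    opt = struct.pack("!BBI", OPT_FILTER_KEY, 4, key)      # type, data length, key
    ext = struct.pack("!BB", NH_ESP, 0) + opt              # 8 bytes, so Hdr Ext Len = 0
    return fixed_header(len(ext) + len(payload), NH_DSTOPTS) + ext + payload

def extract_keys(packet):
    """Read the filter key from the cleartext headers only; never touches the payload."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    first_word, _, nh, _ = struct.unpack("!IHBB", packet[:8])
    keys = {"flow_label": first_word & 0xFFFFF, "option": None}
    off = 40
    while nh in (NH_HOPOPTS, NH_DSTOPTS):                  # stops at ESP
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        end = off + (packet[off + 1] + 1) * 8
        if end > len(packet):
            raise ValueError("truncated extension header")
        i = off + 2
        while i < end:
            if packet[i] == 0:                             # Pad1: one byte, no length
                i += 1
                continue
            if i + 2 > end or i + 2 + packet[i + 1] > end:
                raise ValueError("malformed option")
            otype, olen = packet[i], packet[i + 1]
            if otype == OPT_FILTER_KEY and olen == 4:
                keys["option"] = struct.unpack("!I", packet[i + 2:i + 6])[0]
            i += 2 + olen
        nh, off = packet[off], end
    return keys

def receive(packet, table, carrier):
    """Receiving side: discard unless the carried key was set in the table in advance."""
    try:
        key = extract_keys(packet)[carrier]
    except ValueError:
        return "discard"
    return "accept" if key in table else "discard"

if __name__ == "__main__":
    table = {0x5A5A5}
    for pkt, carrier in [(send_with_flow_label(0x5A5A5), "flow_label"),
                         (send_with_flow_label(0x11111), "flow_label"),
                         (send_with_option(0x5A5A5), "option"),
                         (send_with_option(0x5A5A5)[:44], "option")]:
        print(carrier, receive(pkt, table, carrier))
```

Because the key sits in cleartext outside the encrypted payload, the comparison is an equality test on a value that any on-path observer can read and replay; it is a filtering hint, not authentication of the sender.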

(7) Effects of the Invention 

As explained above, according to the present 
invention, there is the effect that it is possible to 
streamline the comparison logic and to slash the number of 
settings. That is, in the prior art, there were four 
parameters such as the IP address and port no., but there 
may be cases where the AND of all of the parameters is 
taken, where a certain parameter is ignored, and other 
various combinations. As opposed to this, in the present 
invention, this is realized by just the information of a 
single filter key. Regarding the number of settings, the 
prior art lists all of the IP addresses of terminals, while 
by using the same filter key at all of these terminals, it 
is possible to slash the number of settings to one. 

Further, even with applications such as the VoIP which
were difficult to handle in the prior art or when
applications cannot be identified due to IPsec encryption,
filtering becomes possible in accordance with need.
Services which had to be completely banned in the past can 
be realized securely by the present invention. 

In the above way, it is possible to run Internet and 
Intranet applications securely, so there is a large 
contribution of the expansion of services using such 
4. BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a view for explaining the prior art. 
FIG. 2 is a view of an IPv4 header. 
FIG. 3 is a view of an IPv6 header. 
FIG. 4 is a view of a TCP header. 
FIG. 5 is a view of a UDP header. 

FIG. 6 is a view of the inventive principle of the 
present invention. 

FIG. 7 is a view for explaining the format of an IPv6 
extension header storing a filter key newly given to a 
packet.

FIG. 8 is a view of an embodiment of a packet 
transmitting function of a host in claim 4.

FIG. 9 is a view of an embodiment of a packet 
receiving function of a router or host in claim 4.

FIG. 10 is a view of an embodiment of a packet 
transmitting function of a host in claim 5. 

FIG. 11 is a view of an embodiment of a packet 
receiving function of a router or host in claim 5. 